/Describe the bug/
I downloaded and installed Rukovoditel 2.7.2.
An authenticated malicious user can take advantage of a Stored XSS vulnerability in the "users_alerts" feature.
To Reproduce
/Steps to reproduce the behavior/:
1. Log in to the panel
2. Go to '/rukovoditel_2.7.2/index.php?module=users_alerts/'
3. Add new 'users_alerts'
4. Insert payload: "><img src=xx onerror=alert ('document.domain) >
5. Save and BOOM!!!! The XSS alert message pops up.
/Expected behavior/
The removal of script tags is not sufficient to prevent an XSS attack. You must HTML Entity encode any output that is reflected back to the page.
/Screenshots/
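An added illustration of the expected-behavior point (not code from the report or from Rukovoditel, which is a PHP application; Python is used here for brevity): a filter that only removes `<script>` tags leaves an attribute-breakout string untouched, while HTML-entity encoding at output time neutralizes it. The sample strings, the template string and all function names are constructed for this example.

```python
import html
import re

# Constructed samples (not taken from the report): a <script>-based string that a
# tag-stripping filter does catch, and an attribute-breakout string of the shape
# the report describes, which carries no <script> tag at all.
SAMPLES = [
    '<script>alert(1)</script>',
    '"><img src=xx onerror=alert(1)>',
]

SCRIPT_TAG_RE = re.compile(r'</?script[^>]*>', re.IGNORECASE)


def strip_script_tags(value: str) -> str:
    """Blacklist filter: drops <script> and </script> tags, nothing else."""
    return SCRIPT_TAG_RE.sub('', value)


def encode_for_html(value: str) -> str:
    """Output encoding for an HTML body or quoted-attribute context.
    PHP equivalent: htmlspecialchars($value, ENT_QUOTES, 'UTF-8')."""
    return html.escape(value, quote=True)


def breaks_out_of_context(value: str) -> bool:
    """True if the string still holds characters that can end an attribute
    value or open a tag once it is placed into HTML."""
    return any(ch in value for ch in '<>"\'')


def render_alert_field(alert_text: str, sanitize) -> str:
    """Hypothetical template: the saved alert text lands inside a quoted
    attribute, the context in which the reported breakout works."""
    return '<input type="text" value="%s">' % sanitize(alert_text)


def sanitizer_is_sufficient(sanitize) -> bool:
    """Apply the sanitizer to every sample; it passes only if no output can
    still break out of its HTML context."""
    return all(not breaks_out_of_context(sanitize(s)) for s in SAMPLES)


if __name__ == '__main__':
    for name, fn in (('strip_script_tags', strip_script_tags),
                     ('encode_for_html', encode_for_html)):
        print(f'{name}: sufficient={sanitizer_is_sufficient(fn)}')
        for s in SAMPLES:
            print('  ', render_alert_field(s, fn))
```

Running it shows the stripping filter reported as insufficient because the second sample survives unchanged, and the encoded form rendered as inert text inside the attribute.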